Is this related to the yahoo counter starts infection? Sounds suspiciously similar. If it is, this has been going on longer than most people I've talked to know about. Considering this article was written Friday, 2 March, 2007!
Check out this article if you haven't found it already.
I got this email from my web host today, the one I mentioned in some of my other blog posts when I was talking about the Yahoo Counter Starts code injection problem, which was, and from what I can tell still is, a huge problem for thousands of web sites; I've also started finding it on other large hosts such as http://www.hostmonster.com.
The email I received from IX is below:
We would like to inform you of the new security updates we are making at IX Web Hosting. In our ongoing efforts to maintain security, we have dedicated our system administration team to investigating all possible vulnerabilities. One of the necessary updates we are making to enhance security is to change all FTP passwords. This will ensure that all of the protective measures we have and will be taking remain impervious to outside influence – this includes any security compromises that exist on the Internet that may negatively affect your account.
If you experience any problems logging in to your account via FTP, please take a look at the following information to regain FTP access.
You can visit http://www.ixwebhosting.com/index.php/pages.manual14 for an in-depth tutorial with screenshots on how to update your FTP password, or you can follow the simple steps below.
* Visit https://manage.ixwebhosting.com and log in.
* Look for the section called "Hosting Products" and click on the Manage button for your hosting account.
* Look for an icon called "FTP Manager" and click on it. In this area, you will find an icon that resembles a pencil and paper. Click on it to change your FTP password. Please note: to ensure the security of your website, you should not use the same password as your previous password.
It is always recommended that you choose a strong password. We have provided you with a website which will help evaluate the strength of the password you choose:
http://www.microsoft.com/protect/yourself/password/checker.mspx
We are in the process of performing several upgrades to strengthen security. As new developments are made on the server-side and in regards to your FTP account, we will be sure to keep you informed!
We would like to sincerely thank you for your understanding and also, of course, for hosting with us. If you have any questions about this topic, please contact us via ticket, live chat or our 24/7 phone support. We are here for you 24/7 and would be happy to address any concerns you might have!
Thanks again,
Sammie Taunton
Director of Customer Relations
www.ixwebhosting.com
Link: http://vbadvice.blogspot.com/2008/12/yahoo-counter-starts-trojan.html
I found this excellent advice for the removal of the 'Yahoo! Counter starts' trojan from your database. This was a vBulletin user.
I found a relatively simple fix for the 'Yahoo! Counter starts' trojan that affects vBulletin and other forum software. Here's what I did:
I did a backup of the SQL database in vBulletin: I went into the Admin Panel, clicked Maintenance, then Database Backup. At the bottom of that page, I went to the section that says "Backup database to a file on the server". Then I did the following:
1. made a new directory within the /forum/ folder called /backup
2. made the new directory world-writable:
chmod 777 backup
3. entered the location for the backup file in the Admin panel:
./backup/forumbackup-year-month-day.sql
4. clicked Save
Then I went into the site by FTP, downloaded the SQL backup file, deleted the file from the site, and deleted the folder.
Then I searched the backed-up SQL file for 'Yahoo! Counter' and found two sections of code that had been inserted into the database by the trojan. I found the code by doing a backup of the entire database with vBulletin, then searching the SQL file generated by that backup. Both sections of code have 'Yahoo! Counter' in them.
Then I logged into my web hosting company's control panel and used phpMyAdmin to go into the MySQL database (I have IXwebhosting), and I edited the affected tables (the names of the tables were found from the previous search of the backed-up SQL file):
datastore options
[datastore is the name of a table in the database, and options is a section within that table]
and likewise with:
setting description
The section of bad code in datastore begins with:
1108:\"\" />
and then continues on to include:
Yahoo! Counter starts
and then continues on to end with:
name=\"yahoo\" content=\"count\"
and the repaired code in 'datastore options' should include:
;s:11:\"description\";s:0:\"\";s:12:\"useforumjump\";i:1
The bad code had changed
;s:0:
to
;s:1108:
and then added the malicious code after the 1108. So after deleting the bad section of code, I made sure the repaired code had the zero and not the 1108.
The section of bad code in 'setting description' was easier to fix.
This good code:
INSERT INTO setting VALUES('description', 'general', '',
'This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .',
'', '20', '0', '1', 'free', 'vbulletin', '', '0');
had been replaced by a long section of code that included the text:
Yahoo! Counter starts
I replaced that long section of code with the text:
This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .
This worked for me. I don't know if it will work for anyone else.
Proceed similarly at your own risk.
Good luck!
Posted by JT at 6:08 PM
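As an added example (not from JT's post, vBulletin or the blog), the Python below walks the PHP-serialized 'datastore options' value the way a fix like JT's needs: it honours each s:N:"..." length prefix so the quotes inside the injected HTML cannot throw it off, empties any string that contains the 'Yahoo! Counter starts' marker back to s:0:"" as JT did, and reports a length prefix that no longer matches its content (the mistake JT warns about, leaving 1108 where a 0 belongs). The payload and the serialized sample are constructed stand-ins; the real injected string was 1108 bytes.

```python
import re

# Constructed stand-in for the injected payload the post describes: the
# trojan swapped the empty description (s:0:"") for an s:1108:"..." string
# whose content opens with  " />  and ends with the yahoo/count meta tag.
MARKER = b"Yahoo! Counter starts"
INJECTED = b'" /><script>/* Yahoo! Counter starts */</script><meta name="yahoo" content="count"'
# Constructed serialized value; the last entry is a decoy string that itself
# looks like a serialized token, which a naive regex would misparse.
SAMPLE = (b'a:3:{s:11:"description";s:%d:"' % len(INJECTED) + INJECTED +
          b'";s:12:"useforumjump";i:1;s:5:"title";s:7:"s:3:"x"";}')

TOKEN = re.compile(rb's:(\d+):"')

def iter_serialized_strings(blob):
    """Yield (token_offset, content_offset, length) for every s:N:"..." entry,
    skipping exactly N bytes of content so quotes or decoy tokens inside a
    string cannot desynchronise the walk. A declared length not followed by
    the closing '";' means the blob was edited (by hand or by malware) without
    fixing the prefix, and is raised as an error."""
    i = 0
    while i < len(blob):
        m = TOKEN.match(blob, i)
        if not m:
            i += 1
            continue
        n, start = int(m.group(1)), m.end()
        end = start + n
        if blob[end:end + 2] != b'";':
            raise ValueError(f"length {n} at offset {m.start()} does not match content")
        yield m.start(), start, n
        i = end + 2

def declared_lengths_consistent(blob):
    """True when every string's declared byte length matches its content."""
    try:
        for _ in iter_serialized_strings(blob):
            pass
        return True
    except ValueError:
        return False

def strip_injected_strings(blob, marker=MARKER):
    """Replace every serialized string containing `marker` with s:0:"" (the
    value the post restores) and keep everything else byte-for-byte.
    Returns (cleaned_blob, list_of_removed_contents)."""
    out, pos, removed = bytearray(), 0, []
    for tok, start, n in iter_serialized_strings(blob):
        content = blob[start:start + n]
        if marker in content:
            out += blob[pos:tok] + b's:0:"";'
            pos = start + n + 2
            removed.append(content)
    out += blob[pos:]
    return bytes(out), removed
```

Run it over the serialized value copied out of the datastore row (not the whole SQL dump), then check the result with declared_lengths_consistent before writing it back.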
Well first.. happy new year people. I just did a check up of my web sites, and all are still clean. Again, they have been clean since I started over with a new MySQL database, a new set of files (all files, PHP and HTML) and changed my FTP passwords. If you're reading this for the first time, check my earlier posts for info on how to clean up existing databases, and some other useful info. If I find out for sure how this junk got on our web servers in the first place I'll pass that info on to you.
I did something very interesting the other day and forgot to mention it. I did a Google search for the key words "yahoo counter starts" and found about a bazillion results of web sites that actually had the code injected in their pages still.
I did a WHOIS on 50 of them, and 47 were hosted by Ecommerce Corporation, which is IX Webhosting. Am I wrong, or does it seem like there is indeed something up with IX webhosting? Why would so many of their customers have this problem? I'm not the brightest bulb in the chandelier, but I can't figure out how to pick a particular web host company and target their customers. Further evidence to suggest that IX has / had some sort of security issue on the back end?